Botnets are the biggest threat to today's operator networks. Most distributed denial of service (DDoS) attacks are launched from botnets and pose a serious threat to telecom operators and their users. A compromised zombie host becomes a platform for hosting malicious websites and sending spam, and also causes serious information disclosure and economic losses.
Among conventional botnet detection technologies, an effective one is behavior-based detection. It takes a single host as the detection target, performs detection on a communication plane and a behavior plane, applies cluster analysis to the detection results, and then performs correlation analysis to judge whether the host is infected and, if so, which abnormal activities it performs. Detection on the communication plane focuses on data streams and examines the communication features of the Internet Protocol (IP) layer and the transport layer. Detection on the behavior plane judges, from the host's various behaviors, whether it performs suspicious behaviors such as downloading malware, scanning, or sending malware or spam, and from this judges whether the host is infected. The technology observes and analyzes the behaviors of a single host or other network device and reaches its judgment from that host's network communication behaviors. However, when a network address translation (NAT) device is present, the operator's access side cannot identify an individual host on the private network behind the user gateway. Therefore, it cannot be determined whether the observed network behaviors were initiated by a single host on the private network.
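The two-plane detection and the NAT attribution problem described above, as an added illustration that is not part of the original text: a per-source detector correlates a communication-plane view (repetitive contact with one endpoint, many tiny flows) with a behavior-plane view (scanning, spam), and the same detector is then run on flows after a hypothetical NAT gateway has rewritten every private source to one public address. All addresses, thresholds and flow records are constructed for the example.

```python
from collections import defaultdict

# Constructed access-side flow records: (src_ip, dst_ip, dst_port, bytes).
# Hypothetical addresses and volumes; none of this data comes from the text.
FLOWS = (
    [("10.0.0.5", "198.51.100.10", 443, 12000),
     ("10.0.0.5", "198.51.100.11", 443, 8000)]                        # benign web browsing
    + [("10.0.0.7", "203.0.113.9", 8080, 120)] * 6                    # repeated contact with one endpoint
    + [("10.0.0.7", f"192.0.2.{i}", 25, 300) for i in range(1, 9)]    # SMTP burst to many mail servers
    + [("10.0.0.9", f"192.0.2.{i}", 445, 60) for i in range(20, 50)]  # one tiny flow to 30 hosts, one port
)

def host_features(flows):
    """Aggregate per-source features that both detection planes read from."""
    feats = defaultdict(lambda: {"flows": 0, "bytes": 0, "dests": set(),
                                 "endpoints": defaultdict(int), "smtp": 0})
    for src, dst, port, nbytes in flows:
        f = feats[src]
        f["flows"] += 1
        f["bytes"] += nbytes
        f["dests"].add(dst)
        f["endpoints"][(dst, port)] += 1
        f["smtp"] += int(port == 25)
    return feats

def communication_plane(f, repeat_min=5, tiny_bytes=100):
    """IP/transport-layer view: repetitive contact with one endpoint, or many tiny flows."""
    repetitive = max(f["endpoints"].values()) >= repeat_min
    many_tiny = f["flows"] >= 20 and f["bytes"] / f["flows"] < tiny_bytes
    return repetitive or many_tiny

def behavior_plane(f, scan_min=25, smtp_min=5):
    """Host-behavior view: which suspicious activities the traffic pattern corresponds to."""
    behaviors = set()
    if len(f["dests"]) >= scan_min:
        behaviors.add("scanning")
    if f["smtp"] >= smtp_min:
        behaviors.add("spam")
    return behaviors

def classify(flows):
    """Correlate both planes: a source is judged infected only when both are abnormal."""
    verdicts = {}
    for src, f in host_features(flows).items():
        behaviors = behavior_plane(f)
        infected = communication_plane(f) and bool(behaviors)
        verdicts[src] = (infected, behaviors if infected else set())
    return verdicts

def apply_nat(flows, nat_map):
    """Rewrite private sources to the gateway's public address, as the access side sees them."""
    return [(nat_map.get(src, src), dst, port, nbytes) for src, dst, port, nbytes in flows]

NAT = {ip: "203.0.113.50" for ip in ("10.0.0.5", "10.0.0.7", "10.0.0.9")}
PER_HOST = classify(FLOWS)                      # one verdict per private host
BEHIND_NAT = classify(apply_nat(FLOWS, NAT))    # one verdict covering all three hosts
```

Without NAT the benign host is cleared and the two infected hosts are flagged separately; behind the NAT gateway a single verdict for the public address carries both behaviors, so the benign host is swept up and the access side cannot tell which private host performed which activity.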